Microsoft decision puts public libraries at risk

Millions of Americans depend on libraries, Internet cafés, and other public locations for their connection to the Internet, and keeping these points of access safe from hackers is especially difficult.

Recently, however, Microsoft has made that challenge even more difficult for many public libraries.

The company announced it would not upgrade the free application, SteadyState, to Windows 7 compatibility, angering many of the folks who manage public-access PCs. People who manage library PCs say they don’t have money to pay for third-party products that protect public PCs from malware and malicious users.

Subscribe and get our monthly bonuses - free!

The Windows 7 Guide, Volume 3: Advanced maintenance and troubleshooting provides advanced tools for keeping Microsoft's premier operating system up and running smoothly. Get this excerpt and other 4 bonuses if you subscribe FREE now!

People who manage public computers face daunting security and anti-malware threats. Microsoft acknowledged this fact when it introduced Windows SteadyState, an add-on for Windows XP and, later, Vista.

SteadyState essentially resets a computer whenever a user signs off, thus protecting his or her identity and data. It lets administrators restrict how users can interact with the computer — administrators can, for example, block access to programs, Web sites, the Control Panel, and disk drives.

SteadyState can also set time limits on user sessions and import user accounts (so that once you’ve set up an account on one PC, you don’t have to start from scratch on the others you manage). And when a user logs off, a feature called Windows Disk Protection erases all changes, ensuring a consistent user interface.

However, not only is SteadyState incompatible with Win7, Microsoft says it has no plans to introduce a Windows 7-compatible version. That’s leaving some IT managers scrambling for replacement technology and others vowing not to upgrade to Windows 7 at all.

Microsoft declined a request for an interview about the future of SteadyState (or to discuss dropping Guest Mode, a somewhat similar feature that appeared in early Windows 7 betas). Instead, the company provided, via its public relations firm, an e-mail response attributed simply to “a Microsoft spokesperson.”

“Microsoft is always investigating customer requirements and continually explores opportunities to meet customer needs in product offerings. Part of that process is prioritizing features we put into our products and making tradeoffs on what to support.

“For many organizations, the use of Group Policy and System Restore functionality provides the ability to manage and reset their PCs as needed; as a result, Microsoft will not be updating Windows SteadyState to support Windows 7. Organizations that require the extended functionality beyond what is offered within Windows 7 should explore third-party products which provide comparable functionality to Windows SteadyState.”

Using Group Policy and System Restore is not practical in a public, kiosk-PC setting. SteadyState treats each computer as a self-maintaining, autonomous system.

The first indication that there would be no Windows 7 version of SteadyState came in a March 10 post on Microsoft’s Windows SteadyState forum by moderator Sean Zhu. Responding to a forum member’s query, Zhu wrote: “I’d like to inform you that currently, there is no plan to develop a compatible version of Windows SteadyState for Windows 7.” Zhu did not elaborate.

Microsoft still maintains the SteadyState Web site, which lauds the tool’s virtues for shared Windows XP and Vista PCs — not just in libraries but also in Internet cafés, schools, and even homes. A product developed in the public’s interest SteadyState is descended from the Public Access Computer security software developed in the early 2000s by the Bill and Melinda Gates Foundation. It was part of the foundation’s ongoing drive to put computers into schools and libraries.

In 2005, Microsoft picked up the torch with the release of the Shared Computer Toolkit and then followed with SteadyState in 2007 for Windows XP.

Ironically, news of Microsoft’s decision not to support SteadyState in Windows 7 arrived in the same month as a Gates Foundation–funded, University of Washington study, which reported that some 77 million Americans used a library computer or Wi-Fi network to access the Internet last year.

As Microsoft’s statement on SteadyState suggests, there are other tools available for managing shared computers. At least one forum poster said he was able to install SteadyState on Win7 systems by using the new operating system’s Vista or XP compatibility mode. But at this time, it’s not known whether all features — particularly Windows Disk Protection — will work.

Third-party solutions, such as Faronics’ Deep Freeze, don’t appeal to cash-strapped educational institutions, which are already spending considerable money upgrading to Windows 7. Faronics does offer libraries and non-profits discounted volume licensing rates that lower the $45 price to about $30 for each PC.

“I think it’s worth it,” says Philip Boccia, Systems Librarian for the Long Beach, N.Y., Public Library. “But in these times a lot of libraries can’t afford it.”

IT consultant Michael Jurayj of Saint Paul, Minn.-based House Calls Technologies thinks he can re-create some of SteadyState’s features in Win7, but he’s not happy about it. Jurayj wrote in an e-mail:

“I can probably lock it down through the Group Policy editor and the Registry, but it will be more labor intensive and therefore more expensive [for customers]. Unfortunately, it will not be as elegant and because of the expense will be less likely to be used.”

As a result, Jurayj said, he’s thinking of offering his customers the option of rolling their machines back to Windows Vista so they can use SteadyState.

At least one forum member said lack of SteadyState support is a deal-breaker for Windows 7 upgrades. The poster, identified as Syb111, manages 200 computers. Syb111 wrote:

“We have decided to stay with XP and notify users that until Microsoft updates WSS to run with Windows 7, we will stay with XP and advise them to do the same. It’s simply not viable, especially in this economy, to spend the extra tens of thousands of dollars on the extra staff that would be needed to support an OS that we have come to the conclusion that even Microsoft isn’t prepared to support fully.”

Protecting yourself when using public PCs What about people who use PCs in public places? Long Beach’s Boccia says a lot depends on what the PC will let you do — which you might be able to determine only by trial and error. Boccia states, “Unfortunately, there is no visual cue to alert the user of what type of security the machine is using, unless the person is pretty tech-savvy and knows what to look for.”

Tips for using public PCs include:

Check how the PC is set up. What operating system is it using? (XP is obviously better for the reasons given above.) It shouldn’t let you poke around in the system settings such as the control panel and user accounts. Ironically, the less you can do on the PC, the better — it’s well-locked down.

You might even look behind the machine for any keylogger devices attached to the keyboard cable, where it plugs into the PC. For more on keyloggers, read the Bright Hub article, “Risky business, using kiosk computers.”

Avoid tasks such as online banking and credit card purchases that might leave sensitive information behind. But if you must do so, uncheck any box offering to remember your information and change your passwords as soon as you are on a PC you know is secure.

If you have access to browser options that let you clear the cache and wipe out cookies, you should use them. The best systems warn you that they will clear stored information such as cookies when you exit.

If you need to save a document, it’s up to you to bring a flash drive to store it on — or e-mail it to yourself and then delete it from the public PC. Be sure to empty Windows Trash.

Take similar precautions when using public Wi-Fi networks. For example, log into a user account without administrative rights when browsing on a public Wi-Fi network, Boccia says. “You don’t need admin rights just to browse the Web, create a document, and do e-mail, especially at a public wireless hotspot (or as I call it, surfing with sharks).”

WS contributing editor Yardena Arar has written about technology for the New York Times, the Canadian Press, the Associated Press, and the Los Angeles Daily News. She was an editor of PC World magazine from 1996 to 2009.

About Yardena Arar

Yardena Arar has written about technology for the New York Times, the Canadian Press, the Associated Press, and the Los Angeles Daily News. She was an editor at PC World magazine from 1996 to 2009, and is now a PC World contributing editor.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of iNET Interactive. All other marks are the trademarks or service marks of their respective owners.